mtuma
Message 11 of 18

Re: S2008 VLAN Routing?

Hello,

If you are going to have more than eight subnets, then it does limit your options a bit.

The first step that you took with creating aliases for each of the subnets on em1 should have worked (as long as no vlan tagging is done on the switches). Why don't you try that and then try to do some ping tests.

Regards,

Matt

Re: S2008 VLAN Routing?

I will try this again when I am back in the office on Tuesday.  When I tried this before I could ping each of the EM1 alias addresses fine but I could not ping any IP on a different subnet from a PC.  I will set it up that way again and let you know what happens.

Re: S2008 VLAN Routing?

OK, I have set up EM1 with the following IP addresses:

192.168.10.1

192.168.11.1

192.168.12.1

192.168.13.1

These are all 24-bit subnets. I can ping each one of the addresses. Now I need to be able to reach machines on subnet 12 from subnet 10. I cannot get this to work. I have a machine with an IP of 192.168.10.5 and another with an IP of 192.168.12.5. I need to be able to communicate between them. I am not sure what I need to do in the way of rules or some kind of routing etc. Is this even possible?

Re: S2008 VLAN Routing?

So I came across this thread: https://community.mcafee.com/message/150868#150868

Post #2 states that you must use this command from the CLI:

$> cf agent modify name='TCP/UDP Packet Filter' intrazone_forwarding=yes

Once I did that it appears to be working. I will do some further testing to make sure. It would be nice to have this as an option in the GUI. Is there a document somewhere that lists all of the commands available in the CLI?

sliedl
Message 15 of 18

Re: S2008 VLAN Routing?

I was going to mention intrazone forwarding right away, but you have different zones on all your interfaces (or the screenshot shows you do) so you shouldn't need intrazone forwarding for this (since you are going from one zone to a different zone, not within the same zone).

Here is the 8.3.x CLI Guide:

https://kc.mcafee.com/corporate/index?page=content&id=PD24018&cat=CORP_Firewall_Enterprise&actp=LIST

This link will open a PDF.

Re: S2008 VLAN Routing?

Sorry, yes, I did have different zones when I was trying the VLAN routing. I changed it to one zone and set up one interface with multiple IP addresses. I think my not knowing the term Intrazone Forwarding didn't help me much lol. I appreciate the link to the CLI commands!

Re: S2008 VLAN Routing?

I've just read these posts. I have a question: if you set up just one interface with multiple IP addresses and one zone, you can't enforce any policy between networks because they are in the same zone. I read in the documentation that policy enforcement applies when traffic traverses from one zone to another.

My understanding is that in this scenario the firewall is only used like a router and not as a firewall.

on 10/07/13 14:04:22 ART

Re: S2008 VLAN Routing?

My experience with doing this is that the firewall will not automatically route between the different subnets. You must create rules that allow an address in one subnet to access an address in another subnet, even if they are on the same interface and in the same zone. This being the case, you can control what services or applications are allowed to route to the other subnets. You would just use the source and destination endpoint properties of the rules to determine which subnets can access each other. You will also have to create IP Range network objects to use in the rules. So yes, you can enforce policies when traversing across different subnets in the same zone.
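The thread above turns on three separate checks that decide whether a packet between two of the aliased subnets gets through: which alias network each end sits in, whether the two ends are in the same zone (and if so, whether intrazone forwarding is on), and whether a rule with matching source/destination endpoints exists. The following Python model is an added illustration written for this page; it is not McAfee Firewall Enterprise code, and the class names, the rule format, the one-directional matching of rules and the order of the checks are assumptions made for the example. The subnets, the four em1 aliases and the single allow rule are constructed from the addresses quoted in the thread.

```python
"""Simplified model of zone/intrazone forwarding decisions on a firewall whose
interface carries several IP aliases (an added example, not product code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    zone: str
    aliases: list  # one IPv4Network per alias address configured on the interface


@dataclass
class Rule:
    """Allow rule keyed on source/destination endpoint ranges, modelling the
    'IP Range' network objects mentioned in the thread (assumed format)."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: Optional[str] = None  # None matches any service


class Firewall:
    def __init__(self, interfaces, rules, intrazone_forwarding=False):
        self.interfaces = interfaces
        self.rules = rules
        self.intrazone_forwarding = intrazone_forwarding

    def locate(self, addr):
        """Return (interface, alias network) containing addr, or (None, None)."""
        for iface in self.interfaces:
            for network in iface.aliases:
                if addr in network:
                    return iface, network
        return None, None

    def decide(self, src, dst, service):
        s, d = ip_address(src), ip_address(dst)
        src_if, src_net = self.locate(s)
        dst_if, dst_net = self.locate(d)
        if src_if is None or dst_if is None:
            return "no-route"
        if src_net == dst_net:
            # Same subnet: the hosts talk at layer 2; the firewall never sees it.
            return "local"
        if src_if.zone == dst_if.zone and not self.intrazone_forwarding:
            # Assumption: same-zone traffic is dropped before policy is consulted
            # unless intrazone forwarding is enabled.
            return "drop: intrazone forwarding disabled"
        for rule in self.rules:
            if s in rule.src and d in rule.dst and rule.service in (None, service):
                return "allow: " + rule.name
        return "deny: no matching rule"


def net(cidr):
    # strict=False lets us write the alias as host/prefix, e.g. 192.168.10.1/24
    return ip_network(cidr, strict=False)


def single_zone_firewall(intrazone_forwarding):
    """em1 carrying the four aliases from the thread in one zone (constructed)."""
    em1 = Interface("em1", "internal",
                    [net("192.168.10.1/24"), net("192.168.11.1/24"),
                     net("192.168.12.1/24"), net("192.168.13.1/24")])
    rules = [Rule("net10_to_net12", net("192.168.10.0/24"), net("192.168.12.0/24"))]
    return Firewall([em1], rules, intrazone_forwarding)


def two_zone_firewall():
    """Same two subnets on separate interfaces in different zones (constructed)."""
    em1 = Interface("em1", "internal", [net("192.168.10.1/24")])
    em2 = Interface("em2", "lab", [net("192.168.12.1/24")])
    rules = [Rule("net10_to_net12", net("192.168.10.0/24"), net("192.168.12.0/24"))]
    return Firewall([em1, em2], rules, intrazone_forwarding=False)


if __name__ == "__main__":
    cases = ((single_zone_firewall(False), "one zone, intrazone forwarding off"),
             (single_zone_firewall(True), "one zone, intrazone forwarding on"),
             (two_zone_firewall(), "two zones"))
    for fw, label in cases:
        print(label)
        for src, dst in (("192.168.10.5", "192.168.12.5"),
                         ("192.168.12.5", "192.168.10.5"),
                         ("192.168.10.5", "192.168.10.7")):
            print("  %s -> %s: %s" % (src, dst, fw.decide(src, dst, "ssh")))
```

Run it and the three configurations line up with the posts: with one zone and the flag off, 192.168.10.5 to 192.168.12.5 is dropped before any rule is looked at; with the flag on, the same packet hits the allow rule, while the reverse direction and 10-to-11 still fall to the deny, which is the point the last poster makes about rules still being enforced inside a zone; with the subnets on separate interfaces in different zones, the flag is irrelevant and only the rule decides. Two hosts on the same /24 never reach the firewall at all, so no rule can restrict them.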
